net/netfilter/core.c
Source file repositories/reference/linux-study-clean/net/netfilter/core.c
File Facts
- System: Linux kernel
- Corpus path: net/netfilter/core.c
- Extension: .c
- Size: 19559 bytes
- Lines: 828
- Domain: Networking Core
- Bucket: Sockets, Protocols, Packet Path, And Network Policy
- Inferred role: Networking Core: exported/initcall integration point
- Status: integration implementation candidate
Why This File Exists
Networking stack implementation surface: socket APIs, protocol dispatch, packet flow, routing, filtering, and network namespaces.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
`linux/kernel.h`, `linux/netfilter.h`, `net/protocol.h`, `linux/init.h`, `linux/skbuff.h`, `linux/wait.h`, `linux/module.h`, `linux/interrupt.h`, `linux/if.h`, `linux/netdevice.h`, `linux/netfilter_ipv6.h`, `linux/inetdevice.h`, `linux/proc_fs.h`, `linux/mutex.h`, `linux/mm.h`, `linux/rcupdate.h`, `net/net_namespace.h`, `net/netfilter/nf_queue.h`, `net/sock.h`, `nf_internals.h`
Detected Declarations
- Functions: `__nf_hook_entries_free`, `nf_hook_entries_free`, `accept_all`, `nf_hook_entries_grow`, `hooks_validate`, `nf_hook_entries_insert_raw`, `nf_hook_entry_head`, `nf_ingress_check`, `nf_ingress_hook`, `nf_egress_hook`, `nf_static_key_inc`, `nf_static_key_dec`, `__nf_register_net_hook`, `nf_remove_net_hook`, `__nf_unregister_net_hook`, `nf_unregister_net_hook`, `nf_hook_entries_delete_raw`, `nf_register_net_hook`, `nf_register_net_hooks`, `nf_unregister_net_hooks`, `nf_hook_slow`, `nf_hook_slow_list`, `list_for_each_entry_safe`, `nf_ct_attach`, `nf_conntrack_destroy`, `nf_ct_set_closing`, `nf_ct_get_tuple_skb`, `__netfilter_net_init`, `netfilter_net_init`, `netfilter_net_exit`, `netfilter_init`
- Exports: `nf_hooks_needed`, `nf_hook_entries_insert_raw`, `nf_unregister_net_hook`, `nf_hook_entries_delete_raw`, `nf_register_net_hook`, `nf_register_net_hooks`, `nf_unregister_net_hooks`, `nf_hook_slow`, `nf_hook_slow_list`, `nfnl_ct_hook`, `nf_ct_hook`, `nf_defrag_v4_hook`, `nf_defrag_v6_hook`, `nf_ctnetlink_has_listener`, `nf_nat_hook`, `nf_ct_attach`, `nf_conntrack_destroy`
Annotated Snippet
```c
		/* Excerpt begins inside the copy loop of nf_hook_entries_grow(). */
		if (orig_ops[i] == &dummy_ops) {
			++i;
			continue;
		}

		if (inserted || reg->priority > orig_ops[i]->priority) {
			new_ops[nhooks] = (void *)orig_ops[i];
			new->hooks[nhooks] = old->hooks[i];
			i++;
		} else {
			new_ops[nhooks] = (void *)reg;
			new->hooks[nhooks].hook = reg->hook;
			new->hooks[nhooks].priv = reg->priv;
			inserted = true;
		}
		nhooks++;
	}

	if (!inserted) {
		new_ops[nhooks] = (void *)reg;
		new->hooks[nhooks].hook = reg->hook;
		new->hooks[nhooks].priv = reg->priv;
	}

	return new;
}

static void hooks_validate(const struct nf_hook_entries *hooks)
{
#ifdef CONFIG_DEBUG_MISC
	struct nf_hook_ops **orig_ops;
	int prio = INT_MIN;
	size_t i = 0;

	orig_ops = nf_hook_entries_get_hook_ops(hooks);

	for (i = 0; i < hooks->num_hook_entries; i++) {
		if (orig_ops[i] == &dummy_ops)
			continue;

		WARN_ON(orig_ops[i]->priority < prio);

		if (orig_ops[i]->priority > prio)
			prio = orig_ops[i]->priority;
	}
#endif
}

int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
				const struct nf_hook_ops *reg)
{
	struct nf_hook_entries *new_hooks;
	struct nf_hook_entries *p;

	p = rcu_dereference_raw(*pp);
	new_hooks = nf_hook_entries_grow(p, reg);
	if (IS_ERR(new_hooks))
		return PTR_ERR(new_hooks);

	hooks_validate(new_hooks);

	rcu_assign_pointer(*pp, new_hooks);

	BUG_ON(p == new_hooks);
	nf_hook_entries_free(p);
	return 0;
}
EXPORT_SYMBOL_GPL(nf_hook_entries_insert_raw);

/*
 * __nf_hook_entries_try_shrink - try to shrink hook array
 *
 * @old -- current hook blob at @pp
 * @pp -- location of hook blob
 *
 * Hook unregistration must always succeed, so to-be-removed hooks
 * are replaced by a dummy one that will just move to next hook.
 *
 * This counts the current dummy hooks, attempts to allocate new blob,
 * copies the live hooks, then replaces and discards old one.
 *
 * return values:
 *
 * Returns address to free, or NULL.
 */
static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old,
					  struct nf_hook_entries __rcu **pp)
{
	unsigned int i, j, skip = 0, hook_entries;
	struct nf_hook_entries *new = NULL;
	/* Excerpt ends here; the rest of the function is not shown on this page. */
```
Annotation
- Immediate include surface: `linux/kernel.h`, `linux/netfilter.h`, `net/protocol.h`, `linux/init.h`, `linux/skbuff.h`, `linux/wait.h`, `linux/module.h`, `linux/interrupt.h`.
- Detected declarations: `function __nf_hook_entries_free`, `function nf_hook_entries_free`, `function accept_all`, `function nf_hook_entries_grow`, `function hooks_validate`, `function nf_hook_entries_insert_raw`, `function nf_hook_entry_head`, `function nf_ingress_check`, `function nf_ingress_hook`, `function nf_egress_hook`.
- Atlas domain: Networking Core / Sockets, Protocols, Packet Path, And Network Policy.
- Implementation status: integration implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.